INC-219086 · Issue 724268
Keypair handling updated
Resolved in Pega Version 8.8
Rest API calls were failing with invalid token error in production due to the keypairs used to encrypt the access token being different for each node. This happened when the keypair cache was maintained at node level instead of being retrieved from a database each time; when a keypair expired, a new keypair was created for each node instead of sharing one because the updates to keypair were not properly communicated among the nodes. To resolve this, a check has been added to see if a new keypair is already available in the database before creating a new keypair, handling has been added for any DuplicateKeyException that might occur while saving a keypair to the database, and a pxCreateDateTime has been added while storing the new keypair in the database. Please also note that the default key rotation period is now 180 days and can be adjusted through the setting AccessToken/KeyRotationInterval.
INC-220928 · Issue 739155
Added handling for Node Level Data Pages not loading automatically
Resolved in Pega Version 8.8
After update, the MQ listeners were not starting. This was traced to the Global Resource Setting references in the listener rules that utilize data page lookups; MQ listeners started as expected when they were hard-coded with the values present on the data page. Investigation showed this was caused by the activity running in an unauthenticated context, and has been resolved by allowing the app requestor to skip authentication.
INC-222213 · Issue 722509
Updated support for Client Assertion in Open ID Connect to generate unique JTI
Resolved in Pega Version 8.8
Following an update with an enhancement which added UI and code changes to support Client Assertion in Open ID Connect, the token expiry and issue dates were not getting set properly and the JTI was not getting generated. This has been resolved by adding code to generate a unique client_assertion on OIDC login with private_key_jwt so the JTI in client assertion will be be unique for every login.
INC-222404 · Issue 727870
AccessToken can be used for both OIDC SSO and Connect-REST
Resolved in Pega Version 8.8
When trying to specify the AuthenticationProfile with grant_type ‘authorization_code’ in the Connect-REST rule, the AccessToken was not being retrieved, and the error "services.OutboundMappingException: Caught Exception while creating OAuth2 client, Caused by: PRRuntimeException: Unable to obtain access token for client details in authentication profile configured for connector" was generated. The usage case desired is to use the same token for both OIDC SSO and Connect-REST. This worked when the scope was the same, but the key was constructed with a space between the scope and the operator ID while saving the token to the cache. The constructed key did not have this space when fetching the token during Connect-REST. To support the desired use, logic has been added to make the appropriate trim for scope in cache key generation in oauth2clientimpl.
INC-225503 · Issue 737019
DSS added to configure outflow signature digest method algorithm
Resolved in Pega Version 8.8
After update, a change was seen in the digest method of a SOAP response. The site was configured to use WS-Security Profile SHA-1 as the digest algorithm, but the warning from the testing tool WCF (Windows Communication Foundation) indicated this was not being followed with the message "the algorithm 'xmlenc#sha256' is not accepted for operation 'Digest'". For better compatibility, the DSS outflowSignatureDigestAlgorithm has been added to support configuring the outflow signature digest method algorithm.
INC-225840 · Issue 730754
Key ID made optional for JWT
Resolved in Pega Version 8.8
After update, Connect-REST services were failing with a Admin_Security_Token.Action error. This was traced to kID (key ID) being mandated following previous work done to address an issue. To resolve this and better support backwards compatibility, the kID has been made optional in the JWT header.
INC-226479 · Issue 727465
Cross-site scripting filters added to redirect parameters
Resolved in Pega Version 8.8
Cross-site scripting protections have been added to Param.redirect to improve security.
INC-227736 · Issue 744475
Added polling lock to handle CDK Key rotation issues
Resolved in Pega Version 8.8
An error was generated when attempting to open existing encrypted contacts created in the Sales Automation application. This was traced to multiple nodes generating CDKs simultaneously, leading to a race condition, and has been resolved by refactoring the CDK generation code so it will acquire a lock when polling the database to avoid a race condition.
INC-227769 · Issue 731726
ReloadHarness security updated
Resolved in Pega Version 8.8
Security handling has been updated for ReloadHarness to ensure proper CSRF validation.
INC-228169 · Issue 729003
Login error messages updated
Resolved in Pega Version 8.8
Exception response messages have been updated in order to improve security around attempts to bypass operator authentication.